OPNsense
Topics - abel408

1. 17.1 Legacy Series / Intrusion Detection Clarification
« on: July 20, 2017, 05:52:36 pm »
Hello!

I'm in the process of setting up intrusion protection with Suricata and I am a bit confused after looking at the options and reading the documentation.

What does the "IPS Mode" setting exactly do? I see that it says it blocks traffic. What kind of traffic? Does it block all my rules, even the ones that I have set to alert only?

I want to be able to pick and choose which rules should be blocked, which rules should log alerts and allow, and which rules should be ignored. Does IPS mode need to be enabled to do this?

2. 17.1 Legacy Series / Locked out of OPNsense after enabling Intrusion Detection on LAN interface
« on: July 18, 2017, 08:41:09 pm »
So I was configuring Intrusion Protection on my OPNsense router and I enabled it for the WAN interface. Everything went well, I was receiving a lot of alerts and realized that some of them were low-threat alerts that I didn't need. I then enabled the LAN interface as well (I was just receiving alerts from my WAN IP address to external hosts). This is when things broke. I am now not able to get into the web interface or SSH of my OPNsense box. All rules were set to alert except for the Abuse.ch rules, which were set to drop. I also created rules to automatically drop packets from different geographical locations (China, Russia, India).

To make matters worse, the actual console seems unresponsive. I plugged a keyboard and monitor in to my OPNSense box and I am not able to do anything. A reboot did nothing either.

The console output displays this:
GEOM_MIRROR: Device mirror/opnsenseMirror launched (2/2)
timecounter "TSC-low" frequency 1750032538 Hz Quality 1000
Trying to mount root from ufs:/dev/mirror/opnsenseMirror1a [rw]...
uhub0: 2 ports with 2 removable, self powered
uhub1: 2 ports with 2 removable, self powered
ugen1.2: <vendor 0x8087> at usbus1
uhub2: <vendor 0x807 product 0x8000, class 9/0, rev 2.00/0.05, addr 2> on usbus1


And it just stops there. Pressing enter on the keyboard does nothing. If I unplug the keyboard, I get output that the usb was unplugged.

Alt+SysRq+REISUB doesn't seem to do anything either, but pressing the power button on my box shuts down the system. Is there any way to interrupt the boot process of OPNsense so I can disable the intrusion protection and get my system working again?

3. 17.1 Legacy Series / Issue with I340-T4 Intel 82580 Network controller
« on: March 21, 2017, 07:54:50 pm »
I have an Intel 82580 Network controller that I've been having issues with.

I just have a very simple network on it.
OPNSense via igb0 82580 port (10.134.0.1) ---> TP-Link Switch (10.134.0.2)


When the OPNsense box starts up, everything works fine. I can connect to the switch and all devices attached to the switch. Then, for no apparent reason, the connection between the switch and the OPNsense box breaks. Both devices still see an active connection, but the OPNsense box loses the ARP entries it had for the switch and the devices on the switch. The only way to get the connection back is to reboot the OPNsense box. Sometimes it will go hours without losing the ARP entries, sometimes only minutes.

I had a VyOS router in place of the OPNSense box before and never had these issues so I know there is nothing wrong with the switch.

4. 17.1 Legacy Series / Internal NAT hosts not being resolved correctly from Public DNS Servers
« on: March 21, 2017, 07:48:09 pm »
Hello all,

I have an odd situation. I have many 1-1 NAT rules for internal hosts. These all work correctly unless you are trying to reach the NAT host from within the network using a public DNS server such as Google's (8.8.8.8, 8.8.4.4).

With NAT reflection enabled, the host just times out.
With NAT reflection disabled, I get an "A potential DNS Rebind attack has been detected" message.
If I disable DNS rebinding checks, I am prompted with the OPNsense login screen for some reason.

I'm pretty sure that in both cases, the traffic is just getting to the OPNSense box and displaying the web server from it instead of the internal NAT host.

5. 17.1 Legacy Series / Weird IPsec VPN Issue. Client cannot even ping internet or itself
« on: March 21, 2017, 07:39:57 pm »
I have a weird IPsec issue going on. I set up my IPsec VPN following this guide: https://docs.opnsense.org/manual/how-tos/ipsec-road.html

Everything is the same except that Negotiation mode is set to Main. Aggressive did not work.

My virtual address pool is 10.140.0.0/24
My OPNSense IP is 192.168.0.101
My LAN address is 10.128.0.0/16

My client can successfully connect and is given the IP address 10.140.0.1 from the OPNsense server. When I try to ping that address from the client, it times out. I also cannot ping or connect to anything... not even Google's public DNS servers. It's like it's trying to send all traffic through the VPN.

My internal hosts can ping the IPSec client. For example, a machine at 10.128.0.50 can ping 10.140.0.1, but 10.140.0.1 cannot ping 10.128.0.50.

If I start a packet capture on the IPsec interface, I can see the ICMP requests and replies... even the ones that do not go through to 10.128.0.50. If I ping 10.128.0.50 from my VPN client, the client never sees the reply and times out, but the packet capture shows the request and reply. If I ping the client from the client, all I see is the request, no reply.

I'm thinking something is wrong with the VPN routing table... My environment is slightly different from the example in the docs. My LAN address on the OPNsense box is 192.168.0.101, which connects to another router at 192.168.0.102. That internal router has the subnet 10.128.0.1 which I want the VPN clients to connect to.

6. 16.7 Legacy Series / L2TP/IPsec issues with PSK
« on: September 29, 2016, 08:53:14 pm »
Hey Everyone,

I'm trying to set up an L2TP/IPsec VPN. I believe my settings are correct, but when I try to connect to the VPN I get the following error on OSX:

Code:
The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator.

My IPsec logs look like this:

Code:
Sep 29 14:43:31 charon: 07[NET] sending packet: from yy.yy.yy.yy[500] to xx.xx.xx.xx[500] (56 bytes)
Sep 29 14:43:31 charon: 07[ENC] generating INFORMATIONAL_V1 request 3734048287 [ N(INVAL_KE) ]
Sep 29 14:43:31 charon: 07[IKE] no shared key found for yy.yy.yy.yy - xx.xx.xx.xx
Sep 29 14:43:31 charon: 07[IKE] <3> no shared key found for yy.yy.yy.yy - xx.xx.xx.xx
Sep 29 14:43:31 charon: 07[IKE] no shared key found for 'yy.yy.yy.yy'[yy.yy.yy.yy] - '(null)'[xx.xx.xx.xx]
Sep 29 14:43:31 charon: 07[IKE] <3> no shared key found for 'yy.yy.yy.yy'[yy.yy.yy.yy] - '(null)'[xx.xx.xx.xx]
Sep 29 14:43:31 charon: 07[IKE] remote host is behind NAT
Sep 29 14:43:31 charon: 07[IKE] <3> remote host is behind NAT
Sep 29 14:43:31 charon: 07[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Sep 29 14:43:31 charon: 07[NET] received packet: from xx.xx.xx.xx[500] to yy.yy.yy.yy[500] (228 bytes)
Sep 29 14:43:31 charon: 07[NET] sending packet: from yy.yy.yy.yy[500] to xx.xx.xx.xx[500] (160 bytes)
Sep 29 14:43:31 charon: 07[ENC] generating ID_PROT response 0 [ SA V V V V ]
Sep 29 14:43:31 charon: 07[IKE] xx.xx.xx.xx is initiating a Main Mode IKE_SA
Sep 29 14:43:31 charon: 07[IKE] <3> xx.xx.xx.xx is initiating a Main Mode IKE_SA
Sep 29 14:43:31 charon: 07[IKE] received DPD vendor ID
Sep 29 14:43:31 charon: 07[IKE] <3> received DPD vendor ID
Sep 29 14:43:31 charon: 07[IKE] received FRAGMENTATION vendor ID
Sep 29 14:43:31 charon: 07[IKE] <3> received FRAGMENTATION vendor ID
Sep 29 14:43:31 charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Sep 29 14:43:31 charon: 07[IKE] <3> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Sep 29 14:43:31 charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Sep 29 14:43:31 charon: 07[IKE] <3> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Sep 29 14:43:31 charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Sep 29 14:43:31 charon: 07[IKE] <3> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Sep 29 14:43:31 charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Sep 29 14:43:31 charon: 07[IKE] <3> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Sep 29 14:43:31 charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Sep 29 14:43:31 charon: 07[IKE] <3> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Sep 29 14:43:31 charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Sep 29 14:43:31 charon: 07[IKE] <3> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Sep 29 14:43:31 charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Sep 29 14:43:31 charon: 07[IKE] <3> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Sep 29 14:43:31 charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Sep 29 14:43:31 charon: 07[IKE] <3> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Sep 29 14:43:31 charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Sep 29 14:43:31 charon: 07[IKE] <3> received draft-ietf-ipsec-nat-t-ike vendor ID
Sep 29 14:43:31 charon: 07[IKE] received NAT-T (RFC 3947) vendor ID
Sep 29 14:43:31 charon: 07[IKE] <3> received NAT-T (RFC 3947) vendor ID
Sep 29 14:43:31 charon: 07[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
Sep 29 14:43:31 charon: 07[NET] received packet: from xx.xx.xx.xx[500] to yy.yy.yy.yy[500] (788 bytes)

The "no shared key" log doesn't seem right. I do have a shared key set in my settings. Here is what my ipsec.conf file looks like:

Code:
# This file is automatically generated. Do not edit
config setup
  uniqueids = yes
  charondebug=""

conn con1
  aggressive = yes
  fragmentation = yes
  keyexchange = ikev1
  reauth = yes
  rekey = yes
  forceencaps = yes
  installpolicy = yes
  type = tunnel
  dpdaction = clear
  dpddelay = 90s
  dpdtimeout = 540s
  left = 67.248.71.80
  right = %any
  leftid = 67.248.71.80
  ikelifetime = 28800s
  lifetime = 3600s
  rightsourceip = 10.133.27.0/24
  ike = aes256-sha1-modp1024!
  leftauth = psk
  rightauth = psk
  rightauth2 = xauth-generic
  rightsubnet = 10.133.27.0/24
  leftsubnet = 0.0.0.0/0
  esp = aes128-sha1!
  auto = add

And here is what my ipsec.secrets file looks like:

Code:
any : PSK "MySh@r3dS3cr3t"

Anywhere else I should be looking? Any help is appreciated. I've been trying to troubleshoot this for wayyy too long.

Thanks,
Chris
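An added example, not the poster's or OPNsense's code, that walks charon lines of the shape quoted in this post (the log viewer lists them newest first) and pulls out what the responder did: which peer initiated, in which mode, whether NAT-T was detected, which identities charon used for the PSK lookup, and which notify it answered with. The sample lines are constructed with the post's placeholder addresses, and the wording of the hint is my own.

```python
import re

# Constructed excerpt in the shape of the charon lines quoted in the post above
# (newest first, as the OPNsense log viewer lists them); the addresses are placeholders.
SAMPLE_LOG = """\
Sep 29 14:43:31 charon: 07[ENC] generating INFORMATIONAL_V1 request 3734048287 [ N(INVAL_KE) ]
Sep 29 14:43:31 charon: 07[IKE] no shared key found for 'yy.yy.yy.yy'[yy.yy.yy.yy] - '(null)'[xx.xx.xx.xx]
Sep 29 14:43:31 charon: 07[IKE] <3> no shared key found for 'yy.yy.yy.yy'[yy.yy.yy.yy] - '(null)'[xx.xx.xx.xx]
Sep 29 14:43:31 charon: 07[IKE] remote host is behind NAT
Sep 29 14:43:31 charon: 07[IKE] <3> remote host is behind NAT
Sep 29 14:43:31 charon: 07[IKE] xx.xx.xx.xx is initiating a Main Mode IKE_SA
Sep 29 14:43:31 charon: 07[IKE] <3> xx.xx.xx.xx is initiating a Main Mode IKE_SA
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d charon: \d+\[(?P<sub>\w+)\] (?:<(?P<sa>\d+)> )?(?P<msg>.*)$")
INIT_RE = re.compile(r"^(?P<peer>\S+) is initiating an? (?P<mode>Main|Aggressive) Mode IKE_SA$")
NOKEY_RE = re.compile(r"^no shared key found for '(?P<lid>[^']*)'\[[^\]]*\] - '(?P<rid>[^']*)'\[(?P<rip>[^\]]*)\]$")
NOTIFY_RE = re.compile(r"generating INFORMATIONAL_V1 request \d+ \[ N\((?P<notify>\w+)\) \]")


def summarize_ikev1_attempt(log_text):
    """Describe one IKEv1 attempt from a newest-first charon excerpt."""
    summary = {"peer": None, "mode": None, "nat_t": False,
               "psk_lookup": None, "notify_sent": None, "hint": None}
    seen = set()
    for line in reversed(log_text.strip().splitlines()):   # oldest first
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg in seen:        # charon emits each IKE line twice, with and without <n>
            continue
        seen.add(msg)
        if (i := INIT_RE.match(msg)):
            summary["peer"], summary["mode"] = i.group("peer"), i.group("mode")
        elif msg == "remote host is behind NAT":
            summary["nat_t"] = True
        elif (k := NOKEY_RE.match(msg)):
            summary["psk_lookup"] = {"local_id": k.group("lid"), "remote_id": k.group("rid"),
                                     "remote_ip": k.group("rip")}
        elif (n := NOTIFY_RE.search(msg)):
            summary["notify_sent"] = n.group("notify")
    lookup = summary["psk_lookup"]
    if lookup and lookup["remote_id"] == "(null)" and summary["mode"] == "Main":
        # In Main Mode the peer's ID arrives only after the PSK is already needed, so the
        # responder can match the secret only by the peer's IP or by a wildcard entry.
        summary["hint"] = ("PSK looked up before the peer identified itself; the entry in "
                           "ipsec.secrets must match %s or be a wildcard" % lookup["remote_ip"])
    return summary
```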

7. 16.7 Legacy Series / OpenVPN Peer to Peer SSL/TLS Issues. Importing an existing OpenVPN setup
« on: September 23, 2016, 08:11:51 pm »
I have an OpenVPN setup installed on a VyOS server that is working great. I plan on moving this OpenVPN setup to my new OPNsense server. I imported the existing CA, server cert, client cert and key. I think I have the server setup identical.

The client looks like it successfully connects and I can see the client when I click on "Connection Status". After 4 minutes though, the client disconnects. Here is the OpenVPN Server log:

Code:
Sep 23 14:03:20 openvpn[59853]: abel/x.x.x.x:54675 SIGUSR1[soft,ping-restart] received, client-instance restarting
Sep 23 14:03:20 openvpn[59853]: abel/x.x.x.x:54675 [abel] Inactivity timeout (--ping-restart), restarting
Sep 23 13:59:20 openvpn[59853]: abel/x.x.x.x:54675 SENT CONTROL [abel]: 'PUSH_REPLY,route 10.128.0.0 255.255.0.0,route 10.129.0.0 255.255.0.0,route 10.130.0.0 255.255.0.0,route 10.131.0.0 255.255.0.0,route 10.132.0.0 255.255.0.0,route-gateway 10.133.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.133.0.30 10.133.0.1' (status=1)
Sep 23 13:59:20 openvpn[59853]: abel/x.x.x.x:54675 send_push_reply(): safe_cap=940
Sep 23 13:59:20 openvpn[59853]: abel/x.x.x.x:54675 PUSH: Received control message: 'PUSH_REQUEST'
Sep 23 13:59:18 openvpn[59853]: abel/x.x.x.x:54675 MULTI: Learn: 10.133.3.0/24 -> abel/x.x.x.x:54675
Sep 23 13:59:18 openvpn[59853]: abel/x.x.x.x:54675 MULTI: internal route 10.133.3.0/24 -> abel/x.x.x.x:54675
Sep 23 13:59:18 openvpn[59853]: abel/x.x.x.x:54675 MULTI: primary virtual IP for abel/x.x.x.x:54675: 10.133.0.30
Sep 23 13:59:18 openvpn[59853]: abel/x.x.x.x:54675 MULTI: Learn: 10.133.0.30 -> abel/x.x.x.x:54675
Sep 23 13:59:18 openvpn[59853]: abel/x.x.x.x:54675 OPTIONS IMPORT: reading client specific options from: /var/etc/openvpn-csc/1/abel
Sep 23 13:59:18 openvpn[59853]: x.x.x.x:54675 [abel] Peer Connection Initiated with [AF_INET]x.x.x.x:54675
Sep 23 13:59:18 openvpn[59853]: x.x.x.x:54675 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Sep 23 13:59:18 openvpn[59853]: x.x.x.x:54675 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 23 13:59:18 openvpn[59853]: x.x.x.x:54675 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sep 23 13:59:18 openvpn[59853]: x.x.x.x:54675 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 23 13:59:18 openvpn[59853]: x.x.x.x:54675 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sep 23 13:59:18 openvpn[59853]: x.x.x.x:54675 VERIFY OK:
Sep 23 13:59:18 openvpn[59853]: x.x.x.x:54675 VERIFY SCRIPT OK:
Sep 23 13:59:18 openvpn[59853]: x.x.x.x:54675 VERIFY OK:
Sep 23 13:59:18 openvpn[59853]: x.x.x.x:54675 VERIFY SCRIPT OK:
Sep 23 13:59:17 openvpn[59853]: x.x.x.x:54675 TLS: Initial packet from [AF_INET]x.x.x.x:54675, sid=f01f307d 4e3b80cd

I have also set my keepalive setting to this in the "Advanced Configuration" field: keepalive 10 120;

That was the same keepalive setting I had on the VyOS server.

Any help is greatly appreciated!
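An added example (not the poster's or OPNsense's code) that reads OpenVPN server lines in the shape quoted above, measures how long the server went without receiving anything from the client before its ping-restart fired, and compares that with what `keepalive 10 120` means on the server side per the OpenVPN manual. The sample lines are constructed from the post with its x.x.x.x placeholder, and the year is an assumption because syslog lines carry none.

```python
import re
from datetime import datetime

# Constructed lines modelled on the OpenVPN server log quoted in the post above (newest
# first, as shown there); x.x.x.x stands in for the client's public address.
SAMPLE_LOG = """\
Sep 23 14:03:20 openvpn[59853]: abel/x.x.x.x:54675 SIGUSR1[soft,ping-restart] received, client-instance restarting
Sep 23 14:03:20 openvpn[59853]: abel/x.x.x.x:54675 [abel] Inactivity timeout (--ping-restart), restarting
Sep 23 13:59:20 openvpn[59853]: abel/x.x.x.x:54675 SENT CONTROL [abel]: 'PUSH_REPLY,route 10.128.0.0 255.255.0.0,route-gateway 10.133.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.133.0.30 10.133.0.1' (status=1)
Sep 23 13:59:20 openvpn[59853]: abel/x.x.x.x:54675 PUSH: Received control message: 'PUSH_REQUEST'
Sep 23 13:59:18 openvpn[59853]: x.x.x.x:54675 [abel] Peer Connection Initiated with [AF_INET]x.x.x.x:54675
"""

LINE_RE = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<clock>\d\d:\d\d:\d\d) openvpn\[\d+\]: (?P<msg>.*)$")


def keepalive_expansion(interval, timeout):
    """Server-side meaning of 'keepalive <interval> <timeout>' per the OpenVPN manual:
    the server restarts a client instance after 2*timeout seconds without receiving
    anything from it, while the clients are pushed 'ping-restart timeout'."""
    return {"ping": interval, "pushed_ping_restart": timeout,
            "server_ping_restart": 2 * timeout}


def analyze_session(log_text, year=2016):
    """Relate the pushed ping-restart value to when the server actually gave up."""
    last_rx = pushed_restart = timeout_at = None
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; 2016 is assumed for the constructed sample
        ts = datetime.strptime("%s %s %s %s" % (year, m["mon"], m["day"], m["clock"]),
                               "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        if "PUSH: Received control message" in msg:
            last_rx = ts                     # last packet the server got from this client
        elif "PUSH_REPLY" in msg:
            pr = re.search(r"ping-restart (\d+)", msg)
            pushed_restart = int(pr.group(1)) if pr else None
        elif "Inactivity timeout (--ping-restart)" in msg:
            timeout_at = ts
    if None in (last_rx, pushed_restart, timeout_at):
        return None
    silent = int((timeout_at - last_rx).total_seconds())
    exp = keepalive_expansion(10, pushed_restart)
    return {"pushed_ping_restart": pushed_restart, "silent_seconds": silent,
            # True means the server heard nothing at all after the PUSH_REQUEST: the control
            # channel worked, but no data-channel packet from the client ever arrived
            "silent_for_full_server_window": silent == exp["server_ping_restart"]}
```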

8. 16.1 Legacy Series / e2guardian setup
« on: June 28, 2016, 09:41:26 pm »
Hello all!

I'm trying out OPNsense for use at a school. Our current content filtering is done by Dansguardian. e2guardian is the new fork. I've done some searches and saw that e2guardian has been requested before. I'm looking for a guide on how to set it up with OPNsense.

Here are the 2 previous forum posts about e2guardian:
https://forum.opnsense.org/index.php?topic=364.0
https://forum.opnsense.org/index.php?topic=1551.0

Franco says that "pkg add e2guardian" should bring it to the system, but it does not on version 16.1.17

I've installed it with this command:
pkg add http://pkg.freebsd.org/freebsd:10:x86:64/release_3/All/e2guardian-3.0.4_1.txz

I've also found a port for e2guardian here: https://github.com/opnsense/ports/tree/master/www/e2guardian

But I'm not sure what to do from here. I don't see any lists or config files. Here are instructions on how to manually install it to pfsense: http://knes1.github.io/blog/2015/2015-07-18-manually-installing-e2guardian-to-pfsense.html

Any way we could bring this to the gui? If not, how can I configure it? Where are the config files located?
